CVE-2024-33302

Vulnerability

SourceCodester Product Show Room version 1.0 and earlier contains a stored cross-site scripting (XSS) vulnerability in the Add Users functionality. The Middle Name input field does not properly sanitize user-supplied data before storing it in the database [1]. When an administrator or other user views the user list or profile, the malicious script is executed in their browser.

Exploitation

An attacker with the ability to add new users can register an account with a crafted JavaScript payload in the Middle Name field [1]. For example, submitting a payload such as `` as the middle name will cause the script to execute when the user's details are displayed. No special privileges are required beyond the ability to create a user account.

Impact

Successful exploitation allows the attacker to execute arbitrary JavaScript in the context of the victim's browser. This can lead to session hijacking, credential theft, defacement of the application interface, or other malicious actions performed as the victim user [1]. The attack compromises the confidentiality and integrity of user data and application functionality.

Mitigation

As of the publication date, no official patch has been released for CVE-2024-33302. Users should sanitize and encode all user input, especially in fields like Middle Name, to prevent stored XSS attacks [1]. Consider implementing a content security policy (CSP) and using output encoding when rendering user-controlled data. If a newer version is released, upgrading is recommended.